For its EU Council presidency, France has many ambitions and projects in the pipeline: Revising the NIS on OSE, improving cyber cooperation between member states, defining the content of the cloud certification scheme.
Revision of the NIS Directive
The first focus of this presidency concerns the negotiation of the revision of the "Network and Information Security" -NIS- Directive. Adopted on July 6, 2016, this text aims at the emergence of a strong Europe that relies on the national capacities of Member States in cybersecurity, the establishment of effective cooperation and the protection of critical economic and societal activities.
The objective is to collectively face the risks of cyber attacks. This text is best known for regulating the IT security of "essential service operators" (ESOs), including energy (oil, gas, electricity), transport, logistics, banking, financial market infrastructure, digital, public administration and space. The revision of the directive is intended to broaden its scope of application, in order to cover more potential victims.
It is also an opportunity to address the subject of the supply chain, in particular by starting to cover digital services companies whose poor security may constitute problematic entry points for their customers.
Cyber cooperation between states
The second priority of the French Presidency is to promote solidarity within the European Union in the event of a cyber attack. In recent years, France, through Anssi, has worked with a strong commitment to establish cooperation networks between Member States, and particularly at the level of CERTs. In this context, the NIS directive created the CSIRTs Network: the first network for cooperation and sharing of technical information between national CERTs.
The french national agency Anssi has already signed an agreement with 7 French regions for the creation of CSIRTs (Cyber Security Incidence Response Team).
As the president of the EU Council, France plans to carry out an exercise that will be an unprecedented opportunity to raise awareness at the political level of the challenges of a high-level cyber crisis, to highlight the Union's action in terms of cyber crisis management and to strengthen European mutual assistance capabilities.
On the other hand, it is not on the agenda to pool direct intervention capabilities on sites, as these come up against a large number of obstacles, notably at legal level.
It is difficult to envisage European sovereignty if the institutions are not able to protect themselves at a significant level. Yves Verhoeven, Deputy Director of Strategy at the French National Agency for Information Systems Security. Anssi
A secured cloud permeable to extra-territorial laws
For the french national agency for information security: "the high-level secure cloud must be technically excellent but also protected against extraterritorial laws". Otherwise, European sovereignty in cyberspace is meaningless. The challenge at the French level is therefore to be able to peacefully make the SecNumCloud certification disappear in favor of a similar European certification , under a common ESCloud label. Last October, Anssi has however published a revised version of its "SecNumCloud" certification to adjust it to new technical and legal requirements.
It is noted that the contours of this label have been revised with the new french government doctrine "cloud at the center". Introduced in May 2021, it allows french CSPs to offer licensed cloud services provided by foreign companies such as Microsoft and Google.
Promoting a trusted European industrial network.
It goes through "the implementation of the European center of industrial and technological competence in cybersecurity" located in Bucharest, Romania. This new center will work with a network of national coordination centers designated by the Member States. It will bring together key European stakeholders, including businesses, academic and research organizations, and civil society associations.
The goal is to build a community of cybersecurity expertise to strengthen and disseminate cybersecurity expertise across Europe.
As we know, future conflicts will be based on the cyber threats, so it is more than urgent that Europe provides itself with the best preparation.
The rollout of an Europe-wide stress test and the future European Cloud certification scheme may contribute to this.
As the driving force behind the negotiations during the first half of 2022, France is indeed in the front line.